SUMMARY OF TESTIMONY
OF
MICHAEL J STAPLEY
PRESIDENT AND CEO
OF
DESERET MUTUAL BENEFIT ADMINISTRATORS
AND
DESERET MUTUAL INSURANCE COMPANY
P.O. BOX 45530
SALT LAKE CITY, UTAH 84145-0530
BEFORE
THE
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY
November 7, 2002
Salt Lake City, Utah
I. Introduction:
- Michael J Stapley is the President and Chief Executive Officer
of Deseret Mutual Benefit Administrators and Deseret Mutual Insurance Company
(Deseret Mutual).
- Deseret Mutual, through various entities, including self-funded ERISA
trusts, provides and administers financial, health and welfare benefits to
affiliated entities of The Church of Jesus Christ of Latter-day Saints
comprised of approximately 30 separate entities with about 130,000 plan
participants throughout all 50 states.
- Mr. Stapley has also served in the following capacities:
- Chairman of the Board for the Utah Health Information Network;
- Member and Chairman of the U.S. Department of Labor ERISA Advisory
Council;
- Acting Executive Director, Deputy Director and Director of Office
Management Planning for the Utah Department of Health.
II. General Statement
- There is clearly a need for the establishment of uniform laws governing the
privacy and protection of individually identifiable health information, and we
are very supportive of the present efforts to implement the HIPAA privacy
regulations. We recognize the difficulty involved in promulgating and
implementing a uniform set of regulations for all covered entities. Following
are some areas of concern that we have identified that appear to have not been
adequately considered by the drafters of the HIPAA privacy regulations.
III. Deseret Mutual's Response to the Specific Questions Posed by
NCVHS:
1. What outreach, education, and technical support programs are needed
from OCR, including suggestions for OCR priority settings?
- There are many unanswered technical and legal questions concerning HIPAA
that require guidance.
- There are many issues that simply were not anticipated by the drafters of
the law or the regulations.
- In some instances, the HIPAA privacy regulations have been drafted more
broadly than the underlying HIPAA statute. For example the regulations broaden
the definition of group health plan. As a result, there is confusion as to the
application of the Privacy regulations to non-group health plans that would
otherwise not be regulated under the HIPAA statute, and whether such entities
are now required to comply with the portability and pre-existing requirements.
Significant guidance and clarification is required on these issues.
- When we have attended various courses and seminars, we have asked the
difficult questions of experts from both the public and private
sector, many of whom were involved with creating the regulations, and have
received few answers. There is a tremendous amount of misinformation and simply
desperate guessing. The experts have advised covered entities to do their best
within the spirit of the law to adopt reasonable
positions and then to wait for OCR or case law to sort out the questions,
suggesting that OCR's enforcement will be gentle at first.
This advice offers no substantive instruction to employers, health plans or
third-party administrators (TPAs).
- More guidance is needed specifically addressing employers' concerns
as plan sponsors and as employee advocates.
- It would be extremely helpful if OCR would create a forum to collect and
analyze the specific problems and issues associated with the implementation of
HIPAA.
- Other suggestions would include OCR establishing a website with fact
sheets and frequently asked questions designed to address specific
employers' concerns, including issues related to employers as plan
sponsors and as employee advocates, and issues relating to employer provided
plans and programs that require the use and disclosure of protected health
information.
- OCR should establish an open line of communication, such as an informal
hotline for plans and plan sponsors, to ensure easy access to accurate
information.
- OCR should establish public/private working groups to identify and address
the difficult compliance issues for which no answers are presently available.
- OCR should establish educational programs and otherwise establish safe
harbor standards for compliance with HIPAA.
2. What areas are especially in need of guidance from OCR? What
difficulties are providers and plans experiencing coming into compliance?
- The biggest area of advice needed from OCR is dealing with the issue of
pre-emption of state laws that are more restrictive than HIPAA. It is a
practical impossibility to administer ERISA plans nationwide, providing
consistent benefits for all covered members, under a patchwork of inconsistent
and competing state laws. Such an approach undermines the very intent behind
federal preemption of state laws for ERISA plans.
- The state preemption issue is further exacerbated by multi-jurisdictional
issues, raising confusion about which state's privacy laws would govern. A
typical scenario would be a citizen of one state who seeks treatment in a
second state, and whose health plan may be situated in yet a third state.
- In effect, the HIPAA privacy regulations require companies operating in
more than one state to select the most restrictive state law that can be found
as the controlling standard for the plan(s). This approach not only creates an
impossible administrative burden, with conflicting and competing state laws,
but also results in an unfair competitive advantage for plans that only provide
benefits in a single state.
- There needs to be ongoing training regarding simple issues such as what is
a covered entity under the HIPAA privacy regulations. While HHS has put out a
tool on this issue, it seems to be aimed at answering this question from a
transactional perspective only.
- There needs to be more understanding of the various roles of employers,
and training and education of when and under what circumstances employers are
or are not required to act as if they were covered entities. For example, when
employers as plan sponsors perform some functions essential to the plan, to
what extent do these shared duties extend the definition of covered
entity back to the employer?
- Employers and plan administrators are having particular difficulty
understanding the applicability of the HIPAA privacy regulations to, among
other things: administration of medical savings accounts, flexible spending
accounts or health care accounts; on-site and off-site company-sponsored health
clinics; flu shots; pre-employment physical examinations; fitness centers;
health promotion and health risk assessment programs; disease management
programs; health surveillance activities (toxic exposure, drug use, etc.);
employee assistance programs; leave share programs; acting as an advocate of
employees, etc. While the primary purpose of many of these activities is not to
provide treatment, under certain circumstances they can lead to treatment or to
the collection of information later used to provide treatment. Therefore, do
employers become covered entities by providing or promoting these various
programs? If so, then HIPAA's impact on public health and employee
relations could be enormous. The regulations could have a dampening effect on
these traditional employer functions and an employer's ability to continue
to offer group health plans to its employees. Additional clarification and
guidance on these and other employer-specific issues would be extremely
helpful.
- Current guidance is problematic because it is transaction-oriented,
suggesting that if a particular activity could give rise to a covered
transaction under certain circumstances, the entire activity must comply with
the regulation to ensure that the requirements will be met if a covered
transaction ever occurs. It would be extremely costly to employers for them to
have to comply with the HIPAA privacy regulations just because they might
engage in such transactions under certain circumstances.
- In this day and age of electronic communication, it is unreasonable, if
not impractical, to suggest that the use of e-mail by a covered entity to
communicate protected health information would violate the HIPAA privacy
regulations.
- There needs to be guidance on coordinating the competing and conflicting
regulations of HIPAA and Gramm-Leach-Bliley for companies that administer both
financial and welfare benefit plans.
- There needs to be guidance on the practical implications of HIPAA on
plans, including issues relating to the contents of explanations of benefits,
issues related to minors and other family members, and issues related to
flexible spending accounts.
- There needs to be guidance on the issues specific to employer-sponsored
self-funded ERISA plans.
- There needs to be guidance on the specific policies, procedures and
guidelines that OCR will follow in enforcing the HIPAA regulations.
3. What best practices are being done in the industry? Are
compilations of best practices available and how are successful implementation
strategies being disseminated?
- We know of no best practice guidelines for ERISA plans.
- Most of the material we have seen simply re-quotes the law with a simple
generic interpretation, but offers little, if any substantive analysis or
guidance for specific situations.
- We have spoken with numerous consultants and other plan administrators and
there does not appear to be any organized effort among ERISA plans or
consultants to create best practice guidelines.
- We are unaware of any organized effort among non-ERISA plans or companies
to create best practice guidelines.
- Since implementation plans are largely incomplete at this time for most
organizations, there is little or no information coming from anyone on
successful implementation plans.
- Our experience with consultants is that they usually know little more than
we do and nothing about our specific operations and related HIPAA needs.
4. What are the available resources for HIPAA compliance (especially no
or low cost ones) including those from professional organizations and trade
associations? What helpful websites are entities using? What
other work has been done and is in the public domain?
- We are aware of some licensable materials that have been assembled. Some
of these materials appear very basic, while others analyzing all of the
states' various privacy laws are prohibitively expensive.
- The HIPAA Summit Conferences have been helpful for essential and basic
training on the law and general implementation guidelines. However, these
conferences are fairly expensive and still leave us with many unanswered
questions.
- Networking with other plans at conferences has been somewhat helpful, but
we find that other plans have many of the same unanswered questions that we do.
- The HIPAA Summit Conference website has been helpful in obtaining basic
training and educational material.
- Two additional sources of information that seem to be low cost and of good
quality are: (1) NCHICA's Early View Privacy Tool; and (2) publication(s)
by the AMA.
- It may be helpful for OCR to encourage various trade associations to offer
their members HIPAA Privacy tools. While the associations are understandably
leery of the risk involved, there needs to be a way for not-for-profit
organizations to be able to help their members without incurring a large
liability. Perhaps OCR could offer a series of train-the-trainer
sessions specifically directed at trade organizations so that they could in
turn, help their members.
5. How are covered entities approaching the privacy rule training
mandate?
- We are using available printed resources, seminar and conference
materials, outside consultants and the regulations themselves to develop
training materials for our employees and for participating employers.
- We are developing our own customized training materials.
- We have created three focal points for training. (1) training
participating employers as to how the HIPAA privacy regulations will impact
their interaction with us; (2) training new employees at the time of hire
regarding general company privacy policies and related legal requirements and
associated penalties; and (3) training all employees, specific to each work
process by division within the company(s).
- Much of the publicly available resource material is either too general for
the specific needs of our organizations or too expensive.
- We have found that outside consultants generally do not know or understand
enough about our specific needs and operations to help specifically with the
training mandate, and that their fees are simply too expensive.
6. Are there any models for public (Federal, state, and local)/private
partnership development? How should covered entities go
about coalition building and developing consensus procedures?
- Our company is involved in a public-private partnership called the Utah
Health Information Network (UHIN). This organization is jointly owned by the
Utah health insurance industry, the Utah Medical Association, the Utah
Association of Health Care Providers, and selected employers in the State of
Utah. UHIN was specifically organized to implement administrative
simplification in the health care industry in the state of Utah. UHIN has been
responsible for the development of standards for electronic health care
commerce and the establishment of communication systems and switches that are
necessary for the conducting of electronic commerce. Because of UHIN, Utah has
had more success in the implementation of electronic health care commerce than
any other state in the Country.
- We are unaware of any other public-private partnerships for any other
aspect of HIPAA at this time. NCVHS's action in sending out this
questionnaire and conducting hearings appears to be the first significant
effort outside of networking through trade associations.
- There may be some public-private partnership efforts among state-regulated
entities, but we are unable to judge the effectiveness of such partnerships at
this time, and we are unaware of any similar efforts involving employer plan
sponsors.
7. How are entities managing to do the state/Federal preemption analysis
fundamental to HIPAA integration and compliance? How should we address
the integration of HIPAA and other federal and state laws?
- Most employers and plan administrators lack the resources to conduct the
expensive legal analysis of the various states' privacy laws. Although
some materials are available they appear to either be fairly general, or
incredibly costly. In any event, no resource materials replace the need for
plan sponsors and administrators to conduct their own supplemental analysis.
- There is so much uncertainty regarding the requirements of state and
federal law, and so many ongoing changes with states' privacy laws, that
for all practical purposes it is impossible for a plan sponsor or administrator
to determine, with any degree of confidence, what the applicable state privacy
laws are and how they interact with HIPAA.
- The State/Federal preemption issue ignores the fundamental problem being
faced by ERISA plans, that being the requirement to provide uniform benefits.
ERISA plans simply cannot administer uniform benefits under the law, unless the
most restrictive state law is identified and followed. This would mean that the
most restrictive state law would then become the lowest common denominator for
purposes of setting the standard for compliance. This approach has many
problems, including conflicting and competing state laws and the unfair
advantage this would give to non-multistate competitors. Practically speaking,
it is virtually impossible for a multistate group health plan to perform the
state/Federal preemption analysis required under the HIPAA regulations and to
comply with all of the competing privacy laws. The administrative costs
associated with such an approach are simply prohibitive.
- The law must be re-written to establish a new nationwide standard, not
local state standards.
- A clear and unambiguous clarification must be given that the HIPAA privacy
rules do not amend, modify or in any way limit ERISA preemption of state
privacy laws with respect to group health plans.
8. Can you assess the accuracy and quality of the information and services of
vendors and consultants, especially as they pertain to small providers and
health plans?
- There is significant variation in the approach among vendors, especially
with regards to whether certain employer-sponsored activities should be treated
as covered entity or business associate activities.
- We have found that the general knowledge and understanding of most vendors
and consultants is no greater than our own. They have been able to offer little
help because they are not familiar with our specific operation needs and it
would take longer and cost more to train them than to work with existing
staff to address the issues as they relate to our existing work processes.
- No consultant has ever been able to address the more complex issues and
questions that we have, simply because no one in the industry has any answers
for these issues. Even the experts who helped draft HIPAA are not of any help,
other than to suggest taking whatever action we may deem
reasonable.